Unsolicited mass e-mail or “spam” has become a serious problem for all Internet users. A user can receive tens of hundreds of spam messages in a given day. Some companies specialize in creating distribution lists that allow senders of spam or “spammers” to easily reach millions of undesiring recipients with advertisements and solicitations.
In view of the increasing burden created by spam, efforts have been made to filter spam before it reaches its intended recipients. Some conventional spam filters block or filter messages originating from a particular source address that has been previously associated with a spammer. One drawback with these types of conventional filters is that they are often too slow to effectively react to distributed spam “attacks” (i.e., bursts of many spam messages transmitted to a large number of recipients in a relatively short period of time). Spammers often change the addresses from which they transmit spam messages, and by the time a filter determines that an address is originating spam, that address may have already transmitted thousands of messages that were received by undesiring recipients. Also, many of these conventional filters will block messages based on originating address only after a particular customer or client receives more than a predetermined number of spam messages. As a result, these conventional filters are ineffective to inhibit spammers who issue mass spam mailings to many different recipients, if each recipient receives only a limited number of mailings.
The present invention provides an improved system and method for analyzing spam e-mails using a distributed network that promptly detects a spam attack based on an originating IP address. The system and method monitor e-mail messages received by different clients across the distributed network, determine when the number of messages from an IP address communicated to multiple clients has exceeded an acceptable threshold, and take corrective measures in response to such a determination, such as generating an alert to a spam analyst or automatically blocking future e-mail messages from the IP address.
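The following sketch is an added illustration, not code from the original document: it contrasts the per-client counting of the conventional filters described above with a per-IP count aggregated across all clients. The sliding window, the `min_clients` parameter, the class and function names, and the sample records (documentation-range IP addresses) are assumptions made for the example.

```python
from collections import defaultdict, deque

class CrossClientMonitor:
    """Counts messages per source IP across all clients in a sliding window."""

    def __init__(self, threshold, min_clients, window_s):
        self.threshold = threshold        # assumed: max messages per IP per window
        self.min_clients = min_clients    # assumed: what counts as "multiple clients"
        self.window_s = window_s          # assumed: sliding window length, seconds
        self.events = defaultdict(deque)  # src_ip -> deque of (ts, client)
        self.blocked = set()

    def observe(self, ts, client, src_ip):
        """Return 'blocked', 'alert' (threshold just exceeded) or 'ok'."""
        if src_ip in self.blocked:
            return "blocked"
        q = self.events[src_ip]
        q.append((ts, client))
        while q and q[0][0] <= ts - self.window_s:  # expire events outside window
            q.popleft()
        if len(q) > self.threshold and len({c for _, c in q}) >= self.min_clients:
            self.blocked.add(src_ip)  # corrective measure: block future mail
            return "alert"            # and raise one alert for the analyst
        return "ok"

def per_client_filter(records, limit):
    """Conventional baseline: flag an IP only when one client alone exceeds limit."""
    counts, flagged = defaultdict(int), set()
    for _, client, ip in records:
        counts[(client, ip)] += 1
        if counts[(client, ip)] > limit:
            flagged.add(ip)
    return flagged

# Constructed sample: one IP sends 2 messages to each of 6 clients in under a
# minute; another IP sends 3 messages to a single client over several minutes.
RECORDS = sorted(
    [(i * 5, f"client-{i % 6}", "203.0.113.7") for i in range(12)]
    + [(t, "client-0", "198.51.100.20") for t in (10, 200, 400)]
)

def replay(records, monitor):
    """Feed records in time order; return {ip: [verdict, ...]}."""
    out = defaultdict(list)
    for ts, client, ip in records:
        out[ip].append(monitor.observe(ts, client, ip))
    return dict(out)

if __name__ == "__main__":
    print("per-client filter flags:", per_client_filter(RECORDS, limit=5))
    print(replay(RECORDS, CrossClientMonitor(threshold=10, min_clients=3, window_s=300)))
```

With these constructed records the per-client baseline flags nothing, because no single client sees more than two messages from the bursting address, while the aggregated count raises an alert on the eleventh message and blocks the twelfth.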